CVE-2026-29778
Published: 07 March 2026
Summary
CVE-2026-29778 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Pyload-Ng Project Pyload-Ng. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-29778 is a path traversal vulnerability (CWE-23) in pyLoad, a free and open-source download manager written in Python. The issue affects the edit_package() function, which inadequately sanitizes the pack_folder parameter by relying on a single-pass string replacement of "../". This protection can be bypassed using crafted recursive traversal sequences. Vulnerable versions range from 0.5.0b3.dev13 to 0.5.0b3.dev96, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).
The vulnerability can be exploited by low-privilege authenticated users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables directory traversal, resulting in high integrity impact (I:H), such as unauthorized modifications to files outside the intended directory, alongside low availability impact (A:L) and no confidentiality loss (C:N).
pyLoad has patched this issue in version 0.5.0b3.dev97. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10162
Vulnerability details
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be…
more
bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in network-accessible pyLoad web function directly enables exploitation of the public-facing app (T1190) and facilitates unauthorized stored file modifications outside intended directories (T1565.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of pack_folder input to reject path traversal sequences such as recursive ../ patterns before they reach edit_package().
Enforces that only authorized file-system operations within the intended package directory are permitted, blocking the unauthorized modifications enabled by the traversal.
Limits the write privileges of authenticated users so that even a successful traversal yields minimal ability to alter files outside the designated scope.